[
https://jira.jboss.org/browse/SEAMREMOTING-10?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shane Bryzak moved JBSEAM-3592 to SEAMREMOTING-10:
--------------------------------------------------
Project: Seam Remoting (was: Seam)
Key: SEAMREMOTING-10 (was: JBSEAM-3592)
Component/s: (was: Remoting)
> Security concerns regarding Seam.Remoting.eval()
> ------------------------------------------------
>
> Key: SEAMREMOTING-10
> URL: https://jira.jboss.org/browse/SEAMREMOTING-10
> Project: Seam Remoting
> Issue Type: Task
> Reporter: Drew Kutchar
> Assignee: Shane Bryzak
>
> A malicious user can import the seam/remoting/resource/remote.js and use
> Seam.Remoting.eval() to bypass @WebRemote restrictions and call any arbitrary
> method? This can be a very serious security hole, even if Seam Remoting is
> not enabled (by marking any components using @WebRemote).
> Shane Bryzak stated that he is aware of this issue and has disabled
> Seam.Remoting.eval() functionality until he finds a way for expression
> evaluations to honor the @WebRemote annotation.
> This JIRA is created to track Shane's work.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues
